(version 1)

;; Parameters:
;;   TOR_DATA_DIR         directory that contains writeable config, e.g, torrc
;;   TOR_STATIC_DATA_DIR  directory for read-only config, e.g., torrc-defaults
;;   TOR_BIN_DIR          directory that contains tor binaries, e.g., tor.real

(deny default)

(allow file-read* file-write-data file-ioctl
       (path "/dev/dtracehelper")
)

(allow file-read*
       (subpath (param "TOR_BIN_DIR"))
       (subpath "/usr/local")
       (subpath (param "TOR_DATA_DIR"))
       (subpath (param "TOR_STATIC_DATA_DIR"))
       (subpath (param "TOR_BIN_DIR"))
       (path-regex "/private/tmp/Tor[-0-9]*")
)

(allow file-read-data
       (path "/dev/random")
       (path "/dev/srandom")
       (path "/dev/urandom")
       (subpath "/usr/share")
)

(allow file-read-metadata
       (path "/etc")
       (path "/private/etc/localtime")
       (path "/tmp")
       (subpath "/usr/lib")
)

(allow file-write*
       (subpath (param "TOR_DATA_DIR"))
)

(allow ipc-posix-shm-read-data
       (ipc-posix-name "apple.shm.notification_center")
)

(allow mach-lookup
       (global-name "com.apple.system.notification_center")
)

(allow network-inbound file-write*
       (path (string-append (param "TOR_DATA_DIR") "/control.socket"))
       (path (string-append (param "TOR_DATA_DIR") "/socks.socket"))
       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
)

(allow network-outbound
       (remote tcp "*:*")
)

(allow process-exec
       (path (string-append (param "TOR_BIN_DIR") "/tor.real"))
)

(allow sysctl-read)
